HTML - Cross-site request forgery (CSRF)

Table of Contents

1 - About

If a site allows a user to make form submissions with user-specific side-effects, for example:

posting messages on a forum under the user's name,

making purchases,

or applying for a passport,

it is important to verify that the request was made by the user intentionally, rather than by another site tricking the user into making the request unknowingly.

This problem exists because HTML forms can be submitted to other origins. Sites can prevent such attacks by populating forms with user-specific hidden tokens, or by checking Origin headers on all requests.